[Freeipa-users] still failing to get a RHEL 5 client to join, LDAP bind issue?

Rob Crittenden rcritten at redhat.com
Fri Jul 26 12:48:43 UTC 2013


Armstrong, Kenneth Lawrence wrote:
> I am still having issues trying to get a RHEL 5.9 client to join a RHEL
> 6.4 IdM domain.
>
> All packages on both systems updated.
>
> First problem is this:
>
> ipa-client-install --server lnxrealmtest01.liberty.edu --domain
> lnxrealmtest.liberty.edu --enable-dns-updates
>
> Which fails with:
>
> root        : ERROR    Cannot obtain CA certificate
> 'ldap://lnxrealmtest01.liberty.edu' doesn't have a certificate.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> All of the appropriate ports are open on the IdM server, and I verified
> this by telnetting to all of them.
>
> I worked around this by running this:
>
> wget -O /etc/ipa/ca.crt http://lnxrealmtest01.liberty.edu/ipa/config/ca.crt
>
> Then ran:
>
> ipa-client-install --server lnxrealmtest01.lnxrealmtest.liberty.edu
> --domain lnxrealmtest.liberty.edu --enable-dns-updates --no-ntp
> --ca-cert-file=/etc/ipa/ca.crt
>
> And I was having better results, so apparently the RHEL 5.9
> ipa-client-install does not want to download my cert.
>
>
> On to the next problem:
>
>
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for admin@LNXREALMTEST.LIBERTY.EDU:
>
> Joining realm failed: SASL Bind failed Local error (-2) !
> child exited with 9
> Installation failed. Rolling back changes.
>
>
> It is the same user that I use to login to the web interface, and I am
> 100% positive that I am not entering the password incorrectly.  So why
> else would the admin user not be able to bind to my IdM setup?

The client install log may have more details. And I'd check the KDC log 
(on server /var/log/krb5kdc.log) to see why the bind failed.

rob
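
One way to act on the suggestion above to check the KDC log, as an added example that is not part of the original message: a shell function that lists the requests from one principal that the KDC refused. The function names, the EXAMPLE.TEST realm, hosts, IP addresses and sample log lines are constructed, and the parser assumes the usual MIT krb5kdc.log line layout.

```shell
#!/bin/sh
# Added example. Realm, hosts, IPs and log lines below are constructed.

# kdc_failures PRINCIPAL < krb5kdc.log
# Prints "REQUEST STATUS CLIENT_IP SERVICE" for every AS_REQ/TGS_REQ made by
# PRINCIPAL that the KDC did not answer with a ticket.
kdc_failures() {
    awk -F': ' -v princ="$1" '
    $2 ~ /^(AS_REQ|TGS_REQ) / {
        status = $3
        # ISSUE = ticket granted; NEEDED_PREAUTH = normal first round trip.
        if (status == "ISSUE" || status == "NEEDED_PREAUTH") next
        # The "client for service" pair follows the status field.
        if (!match($4, /[^ ,]+ for [^ ,]+/)) next
        split(substr($4, RSTART, RLENGTH), p, " for ")
        if (p[1] != princ) next
        n = split($2, w, " ")      # w[1] = request type, w[n] = client IP
        print w[1], status, w[n], p[2]
    }'
}

# Constructed sample input in the MIT krb5kdc.log layout.
sample_kdc_log() {
    cat <<'EOF'
Jul 26 08:45:10 ipa01.example.test krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 26 08:45:10 ipa01.example.test krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: ISSUE: authtime 1374842710, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jul 26 08:45:11 ipa01.example.test krb5kdc[1842](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.21: UNKNOWN_SERVER: authtime 0,  admin@EXAMPLE.TEST for ldap/ipa01.example.test@EXAMPLE.TEST, Server not found in Kerberos database
Jul 26 08:45:12 ipa01.example.test krb5kdc[1842](info): closing down fd 12
Jul 26 08:46:02 ipa01.example.test krb5kdc[1842](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.35: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
EOF
}

# Run stand-alone against the constructed sample.
sample_kdc_log | kdc_failures 'admin@EXAMPLE.TEST'
```

On the IdM server the same function reads the real log with `kdc_failures 'admin@YOUR.REALM' < /var/log/krb5kdc.log`, where the principal is a placeholder for the enrolling user.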



